WO2007023107A1 - Identification of input sequences - Google Patents

Identification of input sequences


Publication number
WO2007023107A1
Authority
WO
WIPO (PCT)
Prior art keywords
sequence
sequences
response action
identified sequences
monitored
Prior art date
Application number
PCT/EP2006/065312
Other languages
English (en)
Inventor
Boaz Mizrachi
Shmuel Ur
Elad Yom-Tov
Original Assignee
International Business Machines Corporation
Ibm United Kingdom Limited
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, Ibm United Kingdom Limited
Publication of WO2007023107A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2101 Auditing as a secondary aspect

Definitions

  • the present invention relates generally to the field of expert systems in data processing.
  • the present invention relates to a method and system for identification of input sequences.
  • Many tasks typically include sequences of inputs or commands that are routinely performed by end users on their computers. For example, such a sequence may be performed when a user starts working and opens her mail program, favorite web-sites, etc.
  • Some software packages, e.g., Microsoft® Word (trademark of Microsoft Corporation) and Matlab® (trademark of the Mathworks, Inc), enable users to record sequences and perform them by using a single command.
  • U.S. Patent 5,448,739 describes a method of recording, playback and re-execution of application program call sequences and import and export of data in a digital computer system. However, typically the user is required to identify the frequently occurring command sequences and define them as a macro.
  • U.S. Patent 6,690,392 describes a method, system, software and signal for automatic generation of macro commands.
  • Sequences of inputs or commands may, in some cases, lead to undesired or unlawful actions. These actions should be identified and stopped before they are carried out.
  • a known technique in computer security for preventing undesired or unlawful actions is called intrusion detection.
  • Intrusion detection methods typically monitor the computer environment, including aspects such as the network being monitored, etc., and look for patterns that seem 'suspicious'.
  • Intrusion detection tools employ a diverse set of techniques. Some use statistical analysis to find whether there is some sequence of inputs or commands that are statistically unexpected, while others check if the performed sequence is known as a harmful or malicious sequence by comparing the sequence to a list of known harmful or malicious sequences which is typically maintained by the provider of the intrusion detection tool. The comparison may be, for example, a string comparison technique.
  • U.S. Patent 5,278,901 assigned to the same assignees of the present invention, describes a pattern-oriented intrusion detection system and method.
  • M. Nisenson et al. "Towards Behaviometric Security Systems: Learning to Identify a Typist", Proceedings of the 7th European Conference on Principles and Practice of Knowledge Discovery in Databases (ECML/PKDD), pp. 363-374, 2003, describes utilizing sequences of events for typist identification, by using the temporal sequence of keyboard events.
  • a computer-implemented method for identifying and responding to sequences of commands including monitoring a plurality of commands received by an input device of a computer, analyzing the commands to identify a sequence thereof, and responsive to the identification of the sequence, determining a response action for execution by the computer.
  • the step of monitoring the plurality of commands further includes applying a randomly selected sequence to analysis.
  • the step of monitoring the plurality of commands further includes selecting a sequence for analysis every predetermined timeframe.
  • the step of monitoring the plurality of commands further includes applying the monitored sequence responsive to a sequence particularly tracked in the step of monitoring.
  • the step of analyzing the commands further includes comparing the monitored sequence to a list of identified sequences.
  • the step of comparing the monitored sequence further includes comparing the monitored sequence to a local list of identified sequences which is saved on the station of the user, and if the monitored sequence was not found in the local list of identified sequences, comparing the monitored sequence to a central list of identified sequences which is saved in a central repository.
  • the central list includes the identified sequences of all users connected to the central repository.
  • the step of comparing the monitored sequence to the central list includes determining a response action if the monitored sequence was not coupled to the central list of identified sequences, or if a multiplicity of sequences were coupled to the central list of identified sequences.
  • the step of determining the response action is done by a human operator.
  • the step of determining the response action is done automatically.
  • the step of determining the response action is done by the user.
  • an apparatus for identification and response to sequences of commands including a sequence tracker unit to track a selected sequence for identification from a plurality of commands received by an input device, a logic unit to analyze the selected sequence, a first database of a plurality of identified sequences, each of the identified sequences being coupled to at least one known response action, and a response action determination unit to determine a response action to the selected sequence, if the selected sequence is not coupled to the known response action in the database, or if the selected sequence is coupled to a plurality of known response actions.
  • the at least one known response action is tagged to the identified sequence in the first database.
  • the at least one known response action is stored in a second database of a plurality of known response actions.
  • the selected sequence is tracked randomly by the sequence tracker.
  • the selected sequence is tracked by the sequence tracker every predetermined timeframe.
  • the selected sequence is selectively tracked by the sequence tracker in response to a particular sequence.
  • the logic unit compares the selected sequence to the plurality of identified sequences.
  • the response action determination unit transfers the selected sequence or the plurality of known response actions for an operator or a user to determine a response action.
  • a system for identification and response to sequences of commands including at least one computer station, the station includes a sequence tracker unit to track a selected sequence for identification from a plurality of commands received by an input device.
  • the system further includes a central repository to centrally store a plurality of identified sequences in a database of identified sequences, each of the identified sequences is coupled to a known response action, the central repository includes a logic unit to analyze the selected sequence, and a response action determination unit to determine a response action to the selected sequence, if the selected sequence is not coupled to the known response action in the database, or if the selected sequence is coupled to a plurality of known response actions.
  • the at least one computer station further includes a local database to store a plurality of identified sequences in a database of identified sequences, each of the identified sequences is coupled to a known response action.
  • the at least one computer station further includes a local logic unit to locally analyze the selected sequence.
  • the local logic unit transfers the selected sequence for further analysis by the central repository if no identified sequence was found by the local logic unit.
  • a computer program product stored on a computer readable storage medium, comprising computer readable program code means for performing the steps of monitoring a plurality of commands received by an input device of a computer, analyzing the commands to identify a sequence thereof, and responsive to the identification of the sequence, determining a response action for execution by the computer.
  • a method of providing a service to a customer over a network including monitoring a plurality of commands received by an input device of a computer, analyzing the commands to identify a sequence thereof, and responsive to the identification of the sequence, determining a response action for execution by the computer.
  • Fig. 1 is a block diagram that schematically illustrates a system for automatic identification of sequences, in accordance with an embodiment of the present invention.
  • Fig. 2 is a flow chart diagram that schematically illustrates a method of automatic identification of sequences, in accordance with an embodiment of the present invention.
  • Fig. 3 is a flow chart diagram that schematically illustrates a method of automatic identification of installation sequences, in accordance with an embodiment of the present invention.
  • Fig. 4 is a flow chart diagram that schematically illustrates a method for automatic identification of malicious or undesired sequences, in accordance with an embodiment of the present invention. It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numbers may be repeated among the figures to indicate corresponding or analogous features.
  • Such an automatic identification may be useful, for example, to automatically generate a macro for the user, to identify undesired or malicious actions and stop them, and to assist the user in solving problems related, for example, to actions performed by many users, such as installation of new software or access to common data storage areas, etc., as will be described in detail below.
  • Identification of a sequence of inputs or commands (hereinafter the term "sequence" will be used for simplicity) that is used repeatedly by a group of users, or repeatedly by a specific user, may increase the efficiency and usability of the tasks being performed by the user or the group of users. Furthermore, such identification may also assist in providing solutions to users based on previous solutions provided by other users and previously identified. For example, a system may identify, based on a sequence of commands of a software application, that the software being executed is reaching its memory limit, and it may suggest solutions to the user of the software application. The solution may be one of many solutions that other users found, and that were recorded and saved by the system.
  • a sequence is defined herein as a chronological chain of inputs or commands, which at each time instance preferably includes a system state, e.g., which relevant programs are currently running, which thread is using the operating resources, etc., and which user input, e.g., keyboard entry, mouse movement, etc., is currently entered.
  • Such sequences may be automatically identified by, for example, tracking user behavior over a certain length of time, as will be described in detail below.
  • the chronological chain may be decomposed into sub-chains in order to identify common actions, allowing various algorithms, including but not limited to clustering algorithms, string comparison algorithms, and other machine learning algorithms, to be executed to detect characteristics of the sub-chains.
  • the frequency rate of the occurrence of the sub-chains, or the probable state change e.g., the most likely action (input entry or command) that may be taken after a certain sub-chain is executed, etc.
  • Any such identified sub-chain which occurs, for example, at a frequency above a threshold level, or above a certain likelihood, is a candidate for definition as a response action, for example, a macro.
  • This threshold may be defined by the user or by an external user, such as an administrator of the computer system of the user.
  • undesired or malicious sequences may be prevented or stopped before they are carried out.
  • Undesired or malicious sequences may be defined by a security manager or automatically as will be described in detail below.
  • Security breaches may then be prevented by informing the administrator or reacting according to rules of a security policy, e.g., shutting down a computer, in response to the identification of undesired or malicious sequence.
  • Such a sequence may be generated by a malicious code, e.g., a computer virus etc., or by the user.
  • FIG. 1 is a block diagram that schematically illustrates a system 20 for automatic identification of sequences, in accordance with an embodiment of the present invention.
  • Stations 24 of users 22 are connected to central repository 26.
  • Stations 24 may communicate with central repository 26 using a temporary or a permanent network connection, such as an Internet connection.
  • stations 24 may connect to central repository 26 using a direct connection such as a leased line or a dial-up connection, or using any other suitable connection means.
  • Central repository 26 may be a dedicated server, or a repository in a shared server. It may be integral to the internal network of users 22, or external to it.
  • a personal station 24 of user 22 may be, for example, a personal computer, a laptop computer, a Personal Digital Assistant (PDA), etc.
  • Station 24 may include I/O devices 241 such as a network adaptor, keyboard, mouse, a display, etc. I/O devices 241 may be connected to an input receiver unit 242.
  • Input receiver unit 242 may receive and centralize the inputs from all I/O devices 241. It may include a sequence tracker unit 243.
  • sequence tracker unit 243 may be a distinct unit in station 24, connected to input receiver unit 242, or it may be embedded in central repository 26.
  • Sequence tracker unit 243 may track sequences such as, but not limited to, the following sequences:
  • the frequency level may be configured manually by user 22, by the operator of system 20, or automatically by any of the machine learning algorithms mentioned above.
  • sequence tracker unit 243 may track sequences that are originated from I/O devices 241, and in addition, it may track sequences of applications executed in station 24.
  • Station 24 may further include a logic unit 244 to control and process identification of the sequences.
  • logic unit 244 may be embedded in central repository 26.
  • the logic unit 244 may be connected to the input receiver unit 242 and to a database 245 of known sequences or sequences that may be allowed to be performed, and their respective response actions.
  • Logic unit 244 may also be connected to central repository 26 for analysis and comparison of sequences that are not found in database 245.
  • Central repository 26 may include a sequence comparison unit 264, which may receive the sequences transferred from stations 24 with identified sequences previously transferred from stations 24 and stored in database 265A. The sequences stored in database 265A may be tagged to the respective response action to be performed. Alternatively or additionally, central repository 26 may include a database 265B of response actions that may be matched to a sequence from database 265A. The sequence comparison unit 264 may be connected to databases 265A and 265B, and to a response action determination unit 262. Sequence comparison unit 264 may match sequences from database 265A to response actions 265B.
  • Sequence comparison unit 264 may then transfer the matched response action to users 22, or, if no match was found, or if multiple matches were found, it may transfer the sequence and the response actions to the response action determination unit 262.
  • the multiple response actions may be presented to user 22 to determine what response action is the applicable response action.
  • Response action determination unit 262 may display unidentified sequences to an operator 28 of system 20. Alternatively, it may display sequences with multiple response actions to the operator 28 of the system, to allow the operator to decide which response action should be matched with the identified sequence. It should be noted that response action determination unit 262 may make decisions automatically, as will be described in detail below. After determining what the desired response action is, whether the determination is performed by operator 28 or automatically by response action determination unit 262, or as described above by the user 22, the response action may be distributed to stations 24. Additionally, the response action may be tagged to the respective sequence in database 265A, and/or it may be stored in database 265B, for future use.
  • Fig. 2 is a flow chart diagram that schematically illustrates a method of automatic identification of sequences, in accordance with an embodiment of the present invention.
  • the method of Fig. 2 may be implemented by the system of Fig. 1.
  • Sequence tracker unit 243 continuously monitors sequences reported by input receiver unit 242, at a monitoring step 30.
  • Sequence tracker unit 243 may apply logic unit 244 to the sequences, at a sequence application step 32.
  • the application step may be performed at random or predetermined intervals, or selectively in response to a particular sequence tracked by the sequence tracker unit 243, or further in response to a trigger action performed by the user.
  • an error in the installation process may be particularly tracked by the sequence tracker unit 243.
  • the application step may be performed at random or predetermined intervals.
  • the application step may be performed on a sequence of actions executed at a specific time.
  • the logic unit 244 and the database 245 may jointly analyze the sequences at a sequence analysis step 34.
  • Logic unit may use a variety of algorithms to identify the sequences as will be described in detail below. If a sequence is not identified and it is not stored in database 245 (step 36), the sequence may be transferred to central repository 26, at a transfer sequence step 38. The sequence may also be transferred from the input receiver unit 242 to the central repository 26 when the tracking of the sequence and the logical operations are performed in central repository 26. The transferred sequences may then be compared to the identified sequences in database 265A at a sequence comparison step 40.
  • the sequence or the sequences may be transferred to response action determination unit 262 for analysis by a human operator or for automatic analysis, at an analysis request step 42. If a sequence is found and a response action is tagged to it, or a response action is found in database 265B, the response action is transferred to station 24 for execution, at a response action transfer step 44. If multiple response actions are matched to the analyzed sequence, the response actions are transferred to the response action determination unit 262 for analysis by a human operator, at the analysis request step 42 mentioned above. According to the analysis performed by the human operator, a response action is transferred to station 24 for execution, at the response action transfer step 44 mentioned above.
  • the multiple response actions may be presented to user 22, to determine and execute the applicable response action, at a determination and execution step (not shown).
  • the identified sequences and the respective response actions are stored in databases 245 of stations 24, and/or in databases 265A and 265B. New identified sequences are transferred to databases 245 for update.
  • Response action determination unit 262 may control the updating process. Updates may be sent periodically, such as on a weekly basis or any other frequency, as defined by the users or by the operator of system 20. Important updates, e.g., response actions to sequences performing crucial security violations or breaches, response actions to software installation sequences, etc., may be sent to users upon identifying them and storing them at databases 265A and 265B.
  • Logic unit 244 may implement any of several possible methods to analyze the sequences. As will be described below, similar methods may be used by response action determination unit 262 to determine which response action is to be performed in response to an unidentified sequence, or which response action is to be performed from one or more applicable response actions.
  • one method is to ask the users for feedback about the sequences that led their software application or station to the current position.
  • logic unit 244 may analyze sequences in two steps. First, it may measure the distance between sequences, e.g., the level of similarity between sequences, and second, it may perform the actual analysis.
  • Distance measurement may be done using measurement methods such as string comparison methods. Examples of such methods are edit distance, i.e., the minimum number of operations needed to transform one string into the other, or Boyer-Moore string matching, i.e., preprocessing the target response action that is being searched for, but not the sequence being searched, as described, for example, by Richard O. Duda et al. in "Pattern Classification", 2nd ed., Wiley, 2001, page 416.
  • Other distance measurements that may be used include Hamming distance measurements, or probability estimates using, for example, Markov sequences. After the distance between two sequences is measured, logic unit 244 may perform the actual analysis of the sequence.
  • databases 245 or 265A include tagged sequences (i.e., previously identified)
  • a new sequence may be tagged using machine learning methods such as support-vector machines (SVM), as described, for example, by Richard O. Duda et al. in "Pattern Classification", page 259, mentioned above.
  • Another applicable tagging method employs nearest neighbor classification, in which the tagging given to the new sequence may be determined by a majority vote between the k nearest neighbors to the sequence being tagged, where k is an integer determined during training of the classifier. A more detailed description of this classification method may be found, for example, in the "Pattern Classification" reference mentioned above at page 182.
  • When the sequences are not tagged, they may be clustered together into similar sequences using k-means, agglomerative clustering, etc., as described, for example, in the "Pattern Classification" reference mentioned above, at pages 527 and 552, respectively.
  • a mirror operation may be performed by response action determination unit 262 to determine which response action is to be performed in response to an unidentified sequence, or which response action is to be performed from any of several applicable response actions.
  • clustering algorithms may be executed to determine whether the unidentified sequence belongs to a known cluster, and as such, one or more response actions may be applicable to it.
  • machine learning algorithms may be executed to determine which response action is the most applicable. It should be noted that response action determination unit 262 may transfer the unidentified sequence or any of the applicable response actions to the operator 28 for human analysis.
  • system 20 belongs to an administration and support division of an organization, and users 22 are end-users of the organization. Users 22 may be required to perform end-point operations, such as but not limited to installation of new software applications on their stations 24, changing the definitions or configurations of the applications they work on, etc.
  • users 22 may receive a message with a link to a new software package, saved in a central place, to be installed on their station with instructions how to perform the installation. Some users may not follow the exact instructions, and therefore the installation process will fail. In other cases, even though user 24 follows the installation process correctly, it may fail due to conflicts with other software applications installed on his station. Such a conflict may be a result of competing resources, compatibility issues, etc. The installation may fail due to many other reasons, such as, but not limited to, connection failure to the location where the software package is found.
  • Fig. 3 is a flow chart diagram that schematically illustrates a method of automatic identification of installation sequences, in accordance with an embodiment of the present invention.
  • a sequence tracker unit continuously monitors for installation sequences reported by the input receiver unit of the station of each user, at an installation monitoring step 50.
  • the user may report the failure manually, for example, by clicking a UI button, or in any other way, in a reporting failure step 52.
  • a preliminary analysis of the sequences may be performed and an automatic failure report may be generated, at an automatic failure report 52A.
  • This report may include, for example a list of the sequences leading to the failure, as well as pertinent information such as link description, replica, author, target, server name, etc.
  • a response action may be automatically or manually transferred to the user, at a transferring known response action step 62.
  • a manual transfer of the known response action may be performed by an operator of the administration and support division of the organization, or by an operator of a helpdesk call center.
  • the reported sequence may be transferred to an administrator in the administration and support division of the organization, or to an operator of a helpdesk call center, at a transfer sequence step 56.
  • the operator may contact the user that performed the new sequence for immediate support, at an immediate supporting step 58, and may transfer the response action, at transfer known response action step 62.
  • the operator may store the solution for future use in response to the sequence which has been identified, at a storing response action step 60.
  • system 20 belongs to an administration and support division of an organization, and users 22 are end-users of the organization. Users 22 may be required to comply with the security policy of the organization. As such, they may be prohibited from performing certain actions, such as, for example, downloading material from web sites that are not permitted according to the security policy, sending e-mails with confidential information, etc.
  • the organization wishes to protect its computer systems from infection by malicious code.
  • Fig. 4 is a flow chart diagram that schematically illustrates a method for automatic identification of malicious or undesired sequences, in accordance with an embodiment of the present invention.
  • a security policy may be established, and undesired or malicious sequences may be defined by a security manager or automatically as was described in detail above, at a preliminary security policy establishment step 70.
  • a sequence tracker unit continuously monitors sequences reported by input receiver unit 242, at a monitoring step 72. When a potentially suspicious sequence is identified at the monitoring step, the sequence may be applied to the logic unit, at a sequence application step 74. The logic unit may analyze the sequence and compare it to a list of identified malicious sequences at a sequence analysis step 76.
  • a response action may be automatically or manually transferred to the user, at a transferring known response action step 84.
  • the response action may be, for example, shutting down the station, or closing the software application that generated the malicious sequence.
  • sequence may be transferred to a central repository of the organization, at a transfer sequence step
  • the examination may be done by the security manager, or, for example, automatically by quarantining and examining software in an isolated environment.
  • a response action may be determined, at a determining response action step 82, and the response action is applied to the station that generated the malicious sequence, at the transferring known response action step 84 mentioned above.
  • the response action may be stored for future use in response to the sequence which is now already identified (not shown).
  • Software programming code that embodies aspects of the present invention is typically maintained in permanent storage, such as a computer readable medium.
  • Such software programming code may be stored on a client or server.
  • the software programming code may be embodied on any of a variety of known media for use with a data processing system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, compact discs (CD's), digital video discs (DVD's), and computer instruction signals embodied in a transmission medium with or without a carrier wave upon which the signals are modulated.
  • the transmission medium may include a communications network, such as the Internet.
  • the invention may be embodied in computer software, the functions necessary to implement the invention may alternatively be embodied in part or in whole using hardware components such as application-specific integrated circuits or other hardware, or some combination of hardware components and software.
  • the present invention is typically implemented as a computer program product, comprising a set of program instructions for controlling a computer or similar device. These instructions can be supplied preloaded into a system or recorded on a storage medium such as a CD-ROM, or made available for downloading over a network such as the Internet or a mobile telephone network.
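
The analysis flow described above (edit-distance measurement between sequences, nearest-neighbor tagging by majority vote, comparison against the local list before the central list, and hand-off to the response action determination unit when no match or several response actions are found) can be sketched as follows. This is an added example, not code from the patent; the command tokens, response action names, the value of k and the distance threshold are constructed assumptions.

```python
from collections import Counter

# Marker meaning "hand over to response action determination unit 262"
# (the constant name is hypothetical, chosen for this example).
ESCALATE = "escalate_to_determination_unit"


def edit_distance(a, b):
    """Minimum number of insertions, deletions and substitutions that
    turn command sequence a into command sequence b (token-level)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute / keep
        prev = cur
    return prev[-1]


def knn_actions(seq, tagged, k=3, max_dist=2):
    """Majority vote among the k nearest tagged sequences.

    Neighbours farther than max_dist are ignored, so an unknown sequence
    yields an empty set; a tied vote yields several response actions.
    """
    scored = sorted((edit_distance(seq, s), action) for s, action in tagged)
    near = [action for dist, action in scored[:k] if dist <= max_dist]
    if not near:
        return set()
    votes = Counter(near)
    top = max(votes.values())
    return {action for action, n in votes.items() if n == top}


def determine_response(seq, local_db, central_db, k=3, max_dist=2):
    """Local list first, then the central list.

    Assumption of this sketch: a local result is used only when it is
    unambiguous; otherwise the sequence goes to the central list. No match
    or several matches there are escalated.
    """
    local = knn_actions(seq, local_db, k, max_dist)
    if len(local) == 1:
        return "local", local.pop()
    central = knn_actions(seq, central_db, k, max_dist)
    if len(central) == 1:
        return "central", central.pop()
    return "central", ESCALATE


# Constructed sample data: (sequence of command tokens, tagged response action).
LOCAL_DB = [
    (("open_mail", "open_browser", "open_calendar"), "offer_macro"),
]
CENTRAL_DB = [
    (("download_exe", "disable_av", "run_exe"), "close_application"),
    (("download_exe", "disable_av", "run_exe", "delete_logs"), "close_application"),
    (("run_installer", "accept_license", "install_error"), "send_install_fix"),
    (("run_installer", "install_error", "retry"), "notify_helpdesk"),
]

if __name__ == "__main__":
    monitored = [
        ("open_mail", "open_browser", "open_calendar"),
        ("download_exe", "disable_av", "run_exe", "clear_history"),
        ("run_installer", "install_error"),
        ("format_disk",),
    ]
    for seq in monitored:
        print(seq, "->", determine_response(seq, LOCAL_DB, CENTRAL_DB))
```

The third sample sequence is one edit away from two central entries tagged with different response actions, so the vote ties and the sequence is escalated rather than answered automatically.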

Abstract

The invention relates to a method, an apparatus and a system for identifying input sequences. The method monitors a plurality of instructions received by an input device of a computer, analyzes those instructions to identify a sequence of instructions, and, in response to identifying that sequence, determines a response action to be performed by the computer. The apparatus comprises a sequence tracing unit to trace a selected sequence to be identified from a plurality of instructions received by an input device, a logic unit to analyze the selected sequence, a first database containing a plurality of identified sequences, each identified sequence being coupled to at least one known response action, and a response action determining unit to determine a response action corresponding to the selected sequence if the selected sequence is not coupled to a known response action in the database, or if the selected sequence is coupled to a plurality of known response actions.
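The three cases the abstract distinguishes (a selected sequence coupled to exactly one known response action, to none, or to several) can be walked through in a few lines of Python. This is an added example, not code from the patent: the instruction names, the `SENSITIVE` selection rule, the `SEVERITY` ordering and the database contents are all assumptions constructed for illustration.

```python
from collections import deque

# Assumption: instructions whose arrival closes a window worth analysing.
SENSITIVE = {"clear_log", "disable_av"}
# Assumption: response actions ordered from least to most restrictive.
SEVERITY = ["log_only", "alert_manager", "lock_station", "quarantine"]

def trace(instructions, window=3):
    """Sequence tracing unit: yield each window that ends in a sensitive instruction."""
    buf = deque(maxlen=window)
    for ins in instructions:
        buf.append(ins)
        if len(buf) == window and ins in SENSITIVE:
            yield tuple(buf)

def determine(candidates):
    """Response action determining unit (placeholder policy)."""
    if not candidates:            # never seen: isolate for examination
        return "quarantine"
    return max(candidates, key=SEVERITY.index)  # several known: most restrictive

def respond(sequence, db):
    """Return (action, origin); db maps identified sequences to known actions."""
    actions = db.get(sequence, [])
    if len(actions) == 1:
        return actions[0], "known"
    action = determine(actions)
    db[sequence] = [action]       # stored for future use
    return action, "determined"

def demo():
    # Constructed database and instruction stream for one station.
    db = {
        ("login", "export_all", "clear_log"): ["lock_station"],
        ("login", "open_admin", "disable_av"): ["alert_manager", "lock_station"],
    }
    stream = ["login", "export_all", "clear_log",
              "login", "open_admin", "disable_av",
              "sudo", "rm_tmp", "clear_log",
              "sudo", "rm_tmp", "clear_log"]
    return [(seq[-1], *respond(seq, db)) for seq in trace(stream)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last two rows of `demo()` show the same unknown sequence handled twice: the first occurrence goes through the determining unit, the second is answered directly from the database.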
PCT/EP2006/065312 2005-08-24 2006-08-15 Identification of input sequences WO2007023107A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/210,922 2005-08-24
US11/210,922 US20070050755A1 (en) 2005-08-24 2005-08-24 Identification of input sequences

Publications (1)

Publication Number Publication Date
WO2007023107A1 (fr) 2007-03-01

Family

ID=37433911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2006/065312 WO2007023107A1 (fr) 2005-08-24 2006-08-15 Identification of input sequences

Country Status (3)

Country Link
US (1) US20070050755A1 (fr)
TW (1) TW200736951A (fr)
WO (1) WO2007023107A1 (fr)

Also Published As

Publication number Publication date
TW200736951A (en) 2007-10-01
US20070050755A1 (en) 2007-03-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06778241

Country of ref document: EP

Kind code of ref document: A1